Author Archive

BSDCan – May 15-19, Ottawa, Canada. We won’t be doing a formal presentation here this year, but several of us will be in attendance. Get in touch if you’d like to meet up.

Texas Linux Fest – May 31-June 1, Austin, Texas. We’ll have a table here in the exhibition space, please stop by if you’ll be in attendance. We’re headquartered in Austin and are always glad to meet with folks here when schedules permit.

SouthEast Linux Fest – June 7-9, Charlotte NC. I’ll be presenting a talk on all the latest with the project, and we’ll also have a table in the exhibition space.

Change List

Security Fixes

Below S.M.A.R.T. input validation fix isn’t security relevant in the vast majority of use cases, but it could lead to privilege escalation for an administrative user with limited rights who can access the S.M.A.R.T. pages but cannot access any of the pages that allow command execution by design.

These flaws aren’t applicable to pfSense users, as long as you’ve stayed up to date, or at least haven’t gone out of your way to make yourself insecure. The flaws identified in miniupnp were fixed over two years ago, and we always ship releases with the latest version. So these could only be applicable if you haven’t updated to any 2.x version. You would also have to add a firewall rule on WAN to permit the traffic in for the Internet-reachable scenario, so you would really have to go out of your way to make yourself vulnerable if running pfSense.

It’s arguable whether you should ever enable UPnP at all, ever. It’s a security vulnerability by design, really, allowing things to arbitrarily open ports on your firewall. We’ve argued against it since the inception of this project, but make it available for those who have no alternative. Of course we disable it by default.

If you’re running any other kind of router or firewall, things may not be so good. A shocking number of vendors are still building old miniupnp versions into their products (Rapid7 identified 332 such products), and shipping them with extremely insecure defaults (over 80 million unique IPs answer UPnP from the Internet). If you’re not sure whether your router is vulnerable, it’s safest to disable all UPnP functionality on devices connected to the Internet. Rapid7 has released a ScanNow tool that will scan your local network for exploitable devices.

This is also a nice example for the small number of people who still think open source solutions are somehow less secure than commercial alternatives. We’ve done things right again in this instance from day one, where a shocking number of commercial vendors have massively failed to follow basic security best practices.

Great news for many pfSense users today, as OpenVPN Technologies in collaboration with Apple have released an OpenVPN client for iOS.

Within hours of its release, Jim Pingle updated our OpenVPN Client Export package’s inline export option to be compatible with iOS (and retaining its Android compatibility). The inline export is available for 2.0.x and 2.1 versions. Upgrade your package under System>Packages to the latest version and use the inline export option, which can be imported into the iOS client via iTunes amongst other methods. I had my iPhone connected to OpenVPN within 5 minutes, it’s a quick, easy process.

pfSense 2.0.2 is a maintenance release with some bug and security fixes since 2.0.1 release. You can upgrade from any previous release to 2.0.2.

Heads up for those upgrading

Auto Update URL – For those upgrading from a prior release, first please make sure you’re on the correct auto-update URL. Tens of thousands of installs were from 2.0 pre-release snapshots which had their update URL set to the snapshot server rather than the stable release updates. Others had manually set their architecture incorrectly at some point and had failed upgrades because of it. Just browse to System>Firmware, Updater Settings tab. From the “Default Auto Update URLs” drop down box, pick either the stable i386 or amd64 depending on which version you have installed, and click Save. Then you can use the auto-update and be ensured you’re pulling from the correct location.Read the rest of this entry »

The FreeBSD Foundation has put out their year-end fundraising campaign. The FreeBSD Foundation sponsors development of the underlying OS that pfSense is based on. We made a donation as we do every year, and we encourage our users to do the same. They are a 501(c)3 non-profit organization, so US contributors may be able to deduct contributions on their taxes.

pfSense could also use your direct donations to fund general expenses, project development and needed equipment. You can donate directly to us here, though note we’re not a 501(c)3.

Ermal and I will be doing a full day pfSense 2.1 tutorial at EuroBSDCon 2012, October 18 in Warsaw, Poland. Registration has just opened. This will be a training-focused session, going through many of the features common to every version, covering changes in 2.1, with focus on IPv6 in each portion of the system.

I will be presenting on pfSense 2.1 and IPv6 at Texas Linux Fest, August 3-4 in San Antonio. We’ll also have a table in the exhibition area where I’ll be camped out most of both days talking to users, so if you’re in the area, stop by! Our friends at Netgate are providing an ALIX we’ll be giving away. Look forward to meeting many of you there.

Today is World IPv6 Launch day, when many major websites have permanently added AAAA records to make their sites accessible via IPv6. All our sites have been IPv6-enabled (on native connectivity thanks to bluegrass.net) since last year, running behind pfSense 2.1. Many others are using the current snapshots in production networks.

We’d hoped to have 2.1 released in time for today, but getting to the point we consider full IPv6 support has taken far more work than anticipated. As has become the norm for us over the last several years, we do much more than put a GUI on things, having to implement and/or fix things in the underlying software to meet the needs of our users. There was far more to implement and fix in the underlying software than we anticipated. We have the last major piece addressed this week with CARP IPv6 support now functional. We’re just validating things at this point and fixing some last issues, with the official release coming roughly in the next 1-2 months.

IPv6 isn’t yet a critical need for most every network, but it will be getting to that point quickly. I know many IT professionals have been ignoring it, but it’s time to get up to speed for those who haven’t yet. I encourage everyone to at least start experimenting with it at home if you haven’t yet. For the bulk of us who don’t have an option for native IPv6 at home, our Using IPv6 on 2.1 with a Tunnel Broker document will get you going.

pfSense 2.0.1 release is now available. This is a maintenance release with some bug and security fixes since 2.0 release. This is the recommended release for all installations. As always, you can upgrade from any previous release to 2.0.1, so if you haven’t upgraded to 2.0 yet, just upgrade straight to 2.0.1. For those who use the built in certificate manager, pay close attention to the notes below on a potential security issue with those certificates.